Security Data Is Still Overwhelming Every SOC’s Capacity

by Mike Armistead
Category: Perspective

The volume and scope of security data are far outstripping a SOC’s capacity. The very technologies that were deployed to stop the numerous threats all generate their own signals. The often quoted “every SOC averages 40-60 vendor products installed” illustrates this factor. For good reasons, SOCs have a lot of tooling – but because these devices were built to send alerts whenever something looks fishy, they both help the SOC meet its objectives and make meeting them harder.

And it isn’t just the volume that is the problem. With every new tool comes the expertise needed to understand its output and to keep it effective over time. With limited resources to become experts in all those SOC tools, some inevitably fall by the wayside. It’s no wonder that SOCs don’t want another alert.

This isn’t a new problem. SOCs have been fighting data overload since they were first built. In fact, the promise most associated with the now decades-old SIEM category – bequeathed to Security Analytics and now to machine learning products – is that technology will gather logs and data from security devices and contextual sources far and wide, correlate the results and provide answers from this avalanche of data.

Unfortunately, the scale, the variety of alerts and, of course, the shortage of people who can do the data science, engineering and analysis make delivering on this promise out of reach for almost every SOC.

We see the gap widening because of exponential data growth and the scarcity of skilled security professionals who could turn that data into effective action. The solution isn’t clear-cut, and we believe it demands that the industry rethink the current approach.